Sunday, July 10, 2011

Introduction

With the current economic conditions, companies have been trying to do more with less by recycling old hardware and utilizing open source software. That's also true where I work. Between our call center, finance, distribution, warehouse, and sales departments, over 50% of the company's employees are running on RHEL4 LTSP thin clients. Recently it was decided to update our LTSP environment from RHEL4 to Ubuntu 10.04 with LTSPv5. Using the following steps, I was able to set up an Ubuntu 10.04 LTSPv5 server and integrate it into a Windows 2008 Active Directory domain.

Assumptions

It is assumed that you have a Windows 2008 Active Directory domain set up and working properly along with a DHCP server. Your domain controller can be your DHCP server or you can set up a different box to distribute the DHCP leases. If your domain controller or DHCP server is not set up, please set these up first. It is also assumed that the reader has some basic Linux experience. You will need to know how to move around in the Linux terminal, install applications, and edit files using vi or nano.

Moving forward it's advisable to have a second root terminal open just in case something doesn't work as expected. Happens to the best of us :o)
I would recommend creating a "linux_admins" group in Active Directory and adding it to the /etc/sudoers file. An alternative is to add the "domain admins" group and to log in using the administrator account. Edit the file with visudo rather than a plain editor, so a syntax error cannot lock you out of sudo. The group name has to match what "getent group" returns on thinserver: if your winbind (or other NSS) setup does not strip the domain prefix, the entry must be written as %DOMAIN\\linux_admins, with the backslash doubled.

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Members of the AD group linux_admins (resolved through NSS) may also gain root privileges
%linux_admins ALL=(ALL) ALL

Thin Client Setup

To make things easier for my thin client users I installed the XPGnome theme. You can download it from here. The only change that I made to the stock install was that I modified the Start menus. I then installed Adobe Reader 9 and Skype.
I did have a problem with the "Log Out" icon not showing up. To fix it I found an icon on Google that was 48x48 and then used Gimp to scale it down to 32x32, 24x24, 22x22, and 16x16. Rename the icon system-log-out.png and save it to /usr/share/icons/GnomeXP/{icon size}/actions.
The final result looks like this.

To make these settings the default for all users that log in to thinserver, copy the .config, .gconf, .icons, .local, and .themes folders from your home folder (or the home folder of the user that installed the XPGnome theme) to /etc/skel. Check what you are copying first: .local/share/keyrings holds the GNOME keyring with that user's saved passwords, and anything else in those folders that is personal rather than a default will be handed to every new user. Make sure the result is owned by root and not world-writable. Remember moving forward that any changes you make that you want to apply to everyone will need to be copied over as well.
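Copying an administrator's dotfiles wholesale into /etc/skel is also how saved passwords end up in every new account. As an added example (my script, not from the post), the helper below copies the five directories named above and drops the GNOME keyring directory on the way. It assumes keyrings live under .local/share/keyrings, as they do on Ubuntu 10.04, and that it is run as root when the destination is the real /etc/skel (ownership is only changed in that case).

```sh
#!/bin/sh
# Added example, not from the post: seed /etc/skel from a template user's
# dotfiles while leaving secrets behind. Assumption: GNOME keyrings are in
# .local/share/keyrings (true on Ubuntu 10.04).

SKEL_DIRS=".config .gconf .icons .local .themes"

# $1 = template user's home directory, $2 = destination skel directory
copy_skel_defaults() {
    src=$1; dst=$2
    for d in $SKEL_DIRS; do
        [ -d "$src/$d" ] || continue
        rm -rf "$dst/$d"
        cp -a "$src/$d" "$dst/$d"
    done
    # The keyring holds the template user's saved passwords; every new user
    # would otherwise be handed a copy of them.
    rm -rf "$dst/.local/share/keyrings"
    # /etc/skel must belong to root; useradd chowns the copy to each new user.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$dst"
    fi
    # Nothing in skel should be group- or world-writable.
    chmod -R go-w "$dst"
}
```

Usage on the server: copy_skel_defaults /home/adminuser /etc/skel, then create a test user and log in as them to confirm the theme and the autostart entries arrive but no keyring does.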

Mounting Windows Shares at Login

There are a couple of ways to do this in Linux but I finally decided on using Bash and Perl scripts in conjunction with Ubuntu's "Startup Applications" to handle the mounting of Windows shares. I will include all scripts in this tutorial so that you can modify them to fit your environment and improve them as you see fit.
Before we continue, make sure that the NETLOGON share from dc.domain.internal is mounted on thinserver.domain.internal. I created a generic domain account that has permissions to only list the contents of the AD. For the sake of this example that account name is "public" with the password of "password". Because /etc/fstab is world-readable, keep this account's username and password in a separate file readable only by root and point the mount at it with the cifs credentials= option rather than writing them into the fstab line itself; and since the account only needs to read NETLOGON, mount the share read-only.
Create a folder to mount the share to.

sudo mkdir /mnt/logon

Mount the NETLOGON share by adding this entry into your /etc/fstab file.
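The entry from the original post is not on this page. As an added example (not the author's line), this is the form I would use, with the "public" account's password kept in a root-only credentials file instead of in /etc/fstab. The path /etc/samba/netlogon.cred is an assumption; on 10.04 mount.cifs comes from the smbfs package.

```fstab
# /etc/fstab on thinserver (added example, not the post's entry).
# /etc/samba/netlogon.cred is a root-owned, mode 0600 file holding three lines:
#   username=public
#   password=password
#   domain=DOMAIN
# ro,noexec: the batch files are only read by the mount scripts, never run here.
//dc.domain.internal/NETLOGON  /mnt/logon  cifs  credentials=/etc/samba/netlogon.cred,ro,nosuid,nodev,noexec,_netdev  0  0
```

After "chmod 600 /etc/samba/netlogon.cred" and "mount /mnt/logon", "ls -l /mnt/logon/jdoe.bat" should list the user's batch file without any password prompt.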

The scripts depend on each user having a logon batch file of their own in the NETLOGON share and a share of their own on server.domain.internal. Here is a batch file for user "John Doe" with username "jdoe". The batch file name is jdoe.bat. You can use just one batch file and hardcode the name into the script. On the Linux side the batch file is only parsed for its NET USE lines; it is never executed there.

@echo off
NET USE S: \\server\common
NET USE T: \\server\IT

Create the win_share.sh script and save it to /usr/local/bin/. The win_share.sh script checks to see if the .mount.sh and .umount.sh scripts for the user logging in exist and, if they do, deletes them. It then creates new .mount.sh and .umount.sh scripts by running the /usr/local/bin/mount.pl Perl script. Finally it mounts the user's shares by running the .mount.sh script. The user shouldn't get prompted for a password since the script uses Kerberos (mount.cifs with sec=krb5) to authenticate on server.domain.internal. Two things have to be in place for that: the user must hold a ticket from the login ("klist" in a terminal shows it), and the cifs.upcall helper must be registered in /etc/request-key.d/ so the kernel can fetch that ticket for the mount.

Once you have win_share.sh and mount.pl scripts in place, create the "Startup Application" to run it at login. To create the "Startup Application" go to "Preferences/Startup Applications".
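The post's own win_share.sh and mount.pl are not reproduced on this page. As an added example (my code, not the author's), here is the core of what such a generator has to do, in POSIX sh: parse the NET USE lines of the user's logon batch file and turn each one into a mount.cifs line for .mount.sh and an umount line for .umount.sh. It assumes mount.cifs can be run by the user (either made setuid root with dpkg-statoverride, or, the narrower choice, through a sudoers rule limited to that binary), that cifs.upcall is wired into request-key so sec=krb5 finds the ticket obtained at login, that shares are mounted under ~/mnt, and that share names contain no spaces. The uid, gid and mount root are passed in rather than read from $USER so the same functions work from a root context too.

```sh
#!/bin/sh
# Added example, not the post's win_share.sh / mount.pl: derive per-user
# mount and umount commands from the NET USE lines of a NETLOGON logon .bat.
# Assumptions (not stated on the page): mount.cifs is runnable by the user;
# cifs.upcall/request-key are configured so sec=krb5 uses the login ticket;
# share names contain no spaces.

# Print "DRIVE //server/share" for every "NET USE X: \\server\share" line
# read on stdin. CRLF endings are stripped, the keywords are matched
# case-insensitively, and lines that are not drive mappings are ignored.
parse_net_use() {
    tr -d '\r' | while IFS= read -r line; do
        set -f                      # no globbing while splitting the line
        set -- $line
        [ $# -ge 4 ] || continue
        case "$(printf '%s %s' "$1" "$2" | tr 'a-z' 'A-Z')" in
            'NET USE') ;;
            *) continue ;;
        esac
        case $3 in [A-Za-z]:) ;; *) continue ;; esac
        unc=$(printf '%s' "$4" | tr '\\' '/')      # \\server\share -> //server/share
        case $unc in //*/*) ;; *) continue ;; esac
        printf '%s %s\n' "$(printf '%s' "${3%:}" | tr 'a-z' 'A-Z')" "$unc"
    done
}

# $1 = mount root (e.g. /home/jdoe/mnt), $2 = uid, $3 = gid; batch file on stdin.
# Emits the body of the user's .mount.sh.
gen_mount_sh() {
    parse_net_use | while read -r drive unc; do
        target=$1/$drive
        printf 'mkdir -p %s\n' "$target"
        # nosuid,nodev: a file server must never supply setuid binaries or device nodes
        printf 'mount.cifs %s %s -o sec=krb5,uid=%s,gid=%s,nosuid,nodev\n' \
            "$unc" "$target" "$2" "$3"
    done
}

# $1 = mount root; batch file on stdin. Emits the body of the user's .umount.sh.
gen_umount_sh() {
    parse_net_use | while read -r drive unc; do
        printf 'umount %s/%s\n' "$1" "$drive"
    done
}
```

From the Startup Application this would be driven roughly as gen_mount_sh "$HOME/mnt" "$(id -u)" "$(id -g)" < "/mnt/logon/$USER.bat" > "$HOME/.mount.sh", followed by sh "$HOME/.mount.sh"; with the jdoe.bat above it produces mounts for S and T under /home/jdoe/mnt.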

Removing Windows Shares at Log off

To remove the Windows shares that were mounted at login I used pam_script.so. pam_script is a PAM module that, among other things, will allow you to run scripts at session open and session close. The reason why I didn't use pam_script for the login is because it runs as root and the win_share.sh and mount.pl scripts depend on the $USER variable. (pam_script does pass the user's name to its hooks in the PAM_USER environment variable, but a hook running as root must not execute anything that user can write, such as a script kept in the user's home directory; otherwise any user gets root at logoff.) Download the libpam-script package from here.
Install libpam-script:

sudo dpkg -i libpam-script_1.1.4-1_i386.deb

This is the .umount.sh script that was created from the mount.pl Perl script for the user jdoe.
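The .umount.sh itself is not reproduced on this page. Because the session-close hook runs as root, the safe way to do the cleanup is not to run the user's own .umount.sh from it but to read /proc/mounts and unmount only the cifs mounts below that user's ~/mnt. The following is an added example, not the post's script, of such a hook. It relies on pam_script exporting PAM_USER (it does) and assumes the hook is installed as /usr/share/libpam-script/pam_script_ses_close, the package's default location (check the module's dir= option if yours differs), enabled with a "session optional pam_script.so" line in /etc/pam.d/common-session.

```sh
#!/bin/sh
# Added example, not the post's pam_script hook: unmount a user's cifs shares
# at session close without executing anything the user can write.
# Assumptions: libpam-script sets PAM_USER and runs this file as root as
# /usr/share/libpam-script/pam_script_ses_close; shares live under $HOME/mnt.

# Print the cifs mount points below $1 found in the mount table on stdin
# (/proc/mounts format: "src target fstype opts dump pass"). /proc/mounts
# octal-escapes spaces in paths as \040; printf %b decodes that.
cifs_mounts_under() {
    root=$1
    while read -r src target fstype rest; do
        [ "$fstype" = cifs ] || continue
        case $target in "$root"/*) ;; *) continue ;; esac
        printf '%b\n' "$target"
    done
}

# Resolve the user's home through NSS (never from anything the user supplies)
# and unmount deepest path first so nested mounts come off cleanly.
umount_user_shares() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6) || return 1
    [ -n "$home" ] || return 1
    cifs_mounts_under "$home/mnt" < /proc/mounts | sort -r | while read -r mp; do
        umount "$mp" || umount -l "$mp"    # lazy unmount if a file is still open
    done
}

# pam_script calls the hook with no arguments; act only when invoked as the hook.
if [ -n "$PAM_USER" ] && [ "$(basename "$0")" = pam_script_ses_close ]; then
    umount_user_shares "$PAM_USER"
fi
```

Nothing under the user's home is opened or executed: the only inputs are PAM_USER, the passwd database and /proc/mounts, all of which the user cannot tamper with.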

Passwordless SSH with Kerberos

One of the benefits of having a Kerberos-enabled server is that you can now enable passwordless login via SSH: with GSSAPI authentication the client presents the ticket the user already holds. To make this work you need to have both your Linux workstation and server on the domain with Kerberos configured correctly; in particular thinserver needs its host principal in /etc/krb5.keytab ("klist -k" lists it), and clients must connect by the fully qualified name that principal was issued for.
Make these changes in the /etc/ssh/sshd_config file on thinserver:
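The lines the post used are not on this page. As an added example (not the post's own listing), these are the settings that make GSSAPI single sign-on work on the server, together with the matching client side. The host names are the ones used throughout this post.

```sshconfig
# /etc/ssh/sshd_config on thinserver (added example, not the post's listing)
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# Leave PasswordAuthentication on until "ssh -v thinserver.domain.internal"
# shows a successful GSSAPI exchange, then decide whether domain users still need it.

# /etc/ssh/ssh_config (or ~/.ssh/config) on the Linux workstation
Host thinserver thinserver.domain.internal
    GSSAPIAuthentication yes
    # Forwarding the TGT lets thinserver act as you towards other Kerberos
    # services; leave it off unless that is actually needed.
    GSSAPIDelegateCredentials no
```

Before testing, "klist" on the workstation should show a valid ticket, and "klist -k" on thinserver should list host/thinserver.domain.internal@DOMAIN.INTERNAL; restart sshd after editing sshd_config.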